Cookie-based
Browser sends cookies during handshake. Works with existing session cookies. Requires same-origin or SameSite=Lax.
Advertisement
Query-string token
const ws = new WebSocket('wss://example.com/ws?token=' + jwt);Simple. Downside: tokens land in server logs. Use short-lived tokens.
Advertisement
Subprotocol token
new WebSocket(url, ['token.' + jwt]);Token in Sec-WebSocket-Protocol. Not logged like query strings. Bit of a hack — that field wasn't designed for auth.